Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64 arch:x86 image:win11-20250502-en locale:en-us os:windows11-21h2-x64 system -
submitted
20/05/2025, 08:30
Static task
static1
Behavioral task
behavioral1
Sample
2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Resource
win11-20250502-en
General
-
Target
2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
-
Size
4.4MB
-
MD5
a5d9278cbbe4fe8f36e20f42ffaaef33
-
SHA1
fd1e19aaed6d9e08d164f987592618133b5728ff
-
SHA256
33c98b343bfb4807546e83f8cd1ce5adc868b8e5712d1598ea6b6e8bffbff777
-
SHA512
a8e4683fe16138da711172205c1206265950cc407bbb7bdba8c9ff079e904b9e7669929e72626cb3e138c09abc6582738f135f27763ebd62fd6d75b7cee1c3ed
-
SSDEEP
98304:ZWE4hFqotKGJnWLI2MXCT9b4vHwPOwAf8jTlwFTQ2C0u2gaR:ZGqotJ0MGb4fdwLnG21GgG
Malware Config
Signatures
-
Detects Mofksys worm 5 IoCs
resource | yara_rule
behavioral2/files/0x001a00000002b111-113.dat | family_mofksys
behavioral2/files/0x001d00000002b19e-120.dat | family_mofksys
behavioral2/files/0x001a00000002b1a0-138.dat | family_mofksys
behavioral2/files/0x001a00000002b1a5-148.dat | family_mofksys
behavioral2/files/0x001b00000002b1a4-184.dat | family_mofksys
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2117256398-1057710415-2142084777-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2117256398-1057710415-2142084777-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
-
Mofksys family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
-
Executes dropped EXE 9 IoCs
pid | Process
1840 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
4900 | icsys.icn.exe
4336 | explorer.exe
5824 | vs_setup_bootstrapper.exe
1508 | spoolsv.exe
2244 | svchost.exe
2856 | spoolsv.exe
5328 | svchost.exe
1112 | explorer.exe
-
Loads dropped DLL 21 IoCs
pid Process 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe 5824 vs_setup_bootstrapper.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | getmac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | vs_setup_bootstrapper.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vs_setup_bootstrapper.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | vs_setup_bootstrapper.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | vs_setup_bootstrapper.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | vs_setup_bootstrapper.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4900 icsys.icn.exe 4900 icsys.icn.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 4336 explorer.exe 4336 explorer.exe 2244 svchost.exe 2244 svchost.exe 4336 explorer.exe 4336 explorer.exe 4336 explorer.exe 2244 svchost.exe 4336 explorer.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 4336 explorer.exe 4336 explorer.exe 2244 svchost.exe 2244 svchost.exe 4336 explorer.exe 4336 explorer.exe 2244 svchost.exe 2244 svchost.exe 4336 explorer.exe 4336 explorer.exe 2244 svchost.exe 4336 explorer.exe 4336 explorer.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 4336 explorer.exe 4336 explorer.exe 2244 svchost.exe 2244 svchost.exe 4336 explorer.exe 4336 explorer.exe 2244 svchost.exe 4336 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4336 | explorer.exe
2244 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5824 | vs_setup_bootstrapper.exe
-
Suspicious use of SetWindowsHookEx 18 IoCs
pid | Process
5656 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
5656 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
4900 | icsys.icn.exe
4900 | icsys.icn.exe
4336 | explorer.exe
4336 | explorer.exe
1508 | spoolsv.exe
1508 | spoolsv.exe
2244 | svchost.exe
2244 | svchost.exe
2856 | spoolsv.exe
2856 | spoolsv.exe
4336 | explorer.exe
4336 | explorer.exe
5328 | svchost.exe
5328 | svchost.exe
1112 | explorer.exe
1112 | explorer.exe
-
Suspicious use of WriteProcessMemory 39 IoCs
description | pid | Process | procid_target
PID 5656 wrote to memory of 1840 | 5656 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 78
PID 5656 wrote to memory of 1840 | 5656 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 78
PID 5656 wrote to memory of 1840 | 5656 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 78
PID 5656 wrote to memory of 4900 | 5656 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 79
PID 5656 wrote to memory of 4900 | 5656 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 79
PID 5656 wrote to memory of 4900 | 5656 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 79
PID 4900 wrote to memory of 4336 | 4900 | icsys.icn.exe | 80
PID 4900 wrote to memory of 4336 | 4900 | icsys.icn.exe | 80
PID 4900 wrote to memory of 4336 | 4900 | icsys.icn.exe | 80
PID 1840 wrote to memory of 5824 | 1840 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 81
PID 1840 wrote to memory of 5824 | 1840 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 81
PID 1840 wrote to memory of 5824 | 1840 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 81
PID 4336 wrote to memory of 1508 | 4336 | explorer.exe | 82
PID 4336 wrote to memory of 1508 | 4336 | explorer.exe | 82
PID 4336 wrote to memory of 1508 | 4336 | explorer.exe | 82
PID 1508 wrote to memory of 2244 | 1508 | spoolsv.exe | 83
PID 1508 wrote to memory of 2244 | 1508 | spoolsv.exe | 83
PID 1508 wrote to memory of 2244 | 1508 | spoolsv.exe | 83
PID 2244 wrote to memory of 2856 | 2244 | svchost.exe | 84
PID 2244 wrote to memory of 2856 | 2244 | svchost.exe | 84
PID 2244 wrote to memory of 2856 | 2244 | svchost.exe | 84
PID 4420 wrote to memory of 5328 | 4420 | cmd.exe | 89
PID 4420 wrote to memory of 5328 | 4420 | cmd.exe | 89
PID 4420 wrote to memory of 5328 | 4420 | cmd.exe | 89
PID 2244 wrote to memory of 1456 | 2244 | svchost.exe | 90
PID 2244 wrote to memory of 1456 | 2244 | svchost.exe | 90
PID 2244 wrote to memory of 1456 | 2244 | svchost.exe | 90
PID 3324 wrote to memory of 1112 | 3324 | cmd.exe | 92
PID 3324 wrote to memory of 1112 | 3324 | cmd.exe | 92
PID 3324 wrote to memory of 1112 | 3324 | cmd.exe | 92
PID 5824 wrote to memory of 2096 | 5824 | vs_setup_bootstrapper.exe | 93
PID 5824 wrote to memory of 2096 | 5824 | vs_setup_bootstrapper.exe | 93
PID 5824 wrote to memory of 2096 | 5824 | vs_setup_bootstrapper.exe | 93
PID 2244 wrote to memory of 5468 | 2244 | svchost.exe | 97
PID 2244 wrote to memory of 5468 | 2244 | svchost.exe | 97
PID 2244 wrote to memory of 5468 | 2244 | svchost.exe | 97
PID 2244 wrote to memory of 2900 | 2244 | svchost.exe | 99
PID 2244 wrote to memory of 2900 | 2244 | svchost.exe | 99
PID 2244 wrote to memory of 2900 | 2244 | svchost.exe | 99
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 5656
  [2] \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
      command line: c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1840
    [3] C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 5824
      [4] C:\Windows\SysWOW64\getmac.exe
          command line: "getmac"
          - System Location Discovery: System Language Discovery
          PID: 2096
  [2] C:\Users\Admin\AppData\Local\icsys.icn.exe
      command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4900
    [3] \??\c:\windows\system\explorer.exe
        command line: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4336
      [4] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 1508
        [5] \??\c:\windows\system\svchost.exe
            command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2244
          [6] \??\c:\windows\system\spoolsv.exe
              command line: c:\windows\system\spoolsv.exe PR
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 2856
          [6] C:\Windows\SysWOW64\at.exe
              command line: at 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 1456
          [6] C:\Windows\SysWOW64\at.exe
              command line: at 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 5468
          [6] C:\Windows\SysWOW64\at.exe
              command line: at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 2900
-
[1] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    - Suspicious use of WriteProcessMemory
    PID: 4420
  [2] \??\c:\windows\system\svchost.exe
      command line: c:\windows\system\svchost.exe RO
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 5328
-
[1] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    - Suspicious use of WriteProcessMemory
    PID: 3324
  [2] \??\c:\windows\system\explorer.exe
      command line: c:\windows\system\explorer.exe RO
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 1112
-
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20250520083056_3f5622948bee4d9ea4518983f03b618a.trn
Filesize
7KB
MD5
435fc792976660135d01451242a0d696
SHA1
d0416b19f6ef10e4098ca052df624aa0933e1dc1
SHA256
afd97fd146873585b22371f94cd45e662e5d04435aa299497b9b5173fe25b277
SHA512
e9f859e4b4cb58c74c8ba1db99342df453ff464ec21fd81cd418fff3d3fffd1ed1b9d1321138093915716dda7dbdab9fdd7b9b212c70a7e430c300524998868d
-
C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Filesize
4.2MB
MD5
f31be30464259e66a1caa8a3196b2d91
SHA1
74b4eeb5e7517707b04a01d4e0d9143b41495a49
SHA256
db062cd6a3fe35d0f04873ca387c748417468439b80a11b5a1379b25b0465194
SHA512
01923fd49e73c4bb56f806bc93cfbb11da14469a5a8f847d290b45faef0cd9f221b2af0b118196e99ffae30a8ff8749f8be372a9523ca5a885dcf7e13e89595c
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
Filesize
19KB
MD5
2999091dfdc507751c83112b99ccf45c
SHA1
7bd85c761a84ffa95f40eca4a0755b966aa5f396
SHA256
53b2d60f8a6904a474a12620623f8a3c8630e248f228398795c47941703b3654
SHA512
fc61a4746996ec082baa020d578ad2cadf5c1c0fe3d5901351f7e179a9d36db5d43fa38acd97c34795a3b82532db928267155a181a1f1e459d87ab75a035efcd
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
Filesize
115KB
MD5
5b8c95a244032aabc7b043af9c4e6111
SHA1
c045eaa89b47b8cf7249cb406d34a796078e9835
SHA256
5304aadfedfc2b74e78cefa04b7e5481add6ca9d295922454afd33812c4fa929
SHA512
149df41ecc4849237d01c304ebb3b2d280db4a7a5dc7e4168d9fbfdddf31d1214c465754afc95fa2faeb8fcfffca151a3e0ae21d56784db19e31e1c8e9fc8dea
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
Filesize
46KB
MD5
355c1a112bc0f859b374a4b1c811c1e7
SHA1
b9a58bb26f334d517ab777b6226fef86a67eb4dd
SHA256
cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed
SHA512
f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
Filesize
582KB
MD5
2d276aa3eedf5d56d287cfa062cbf996
SHA1
5ccb1ead82b7047618825ebf60344076fc1f82fc
SHA256
53843b1c80e18fd9581d18f9cb4f2b8d0096a8305db43784e760a6f168122155
SHA512
7f71b2b1e1834ca247fdbe64d85ade3eaa8b2171d1fe9d6ed36ca3916129ac925ab01d7de336643d8e3bc2ebaac4083bd6cc6c311901ea392686bdd6730e4c19
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
Filesize
307KB
MD5
f010059bc2c2d7a8f9c9e96bd88d5a95
SHA1
ddb9c2c07c0deabca0d7b7df56bfd64a7672de59
SHA256
47cebe91571377764ffbf50d7c346975d80601ffc6211de7ff6c5ebbe7258f48
SHA512
70f6001080f0754fc9e2eb39ab70a8daee743aacba7828373420219dcd6122414ad70c9d1860c653a6d932d1960e4b6495935ff13961695de2dfc051cca701e0
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
Filesize
1.4MB
MD5
99208fd00d39640093d6db9a72d2205f
SHA1
b8b2101026d1d0cc117be3ab56d334078b481b2f
SHA256
c904d85273eed1173b229cd03593defaa3ff6afb8388ff77853e141d33788d02
SHA512
17ae8fd7b66b68f3f36ede4055d64145f8990960064e7d49e7dfcbdf3b5c689df32f41e6876efaaa34ca3c1879a5c6ad5bc1463c0a7b081490badccbc35328b3
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
Filesize
1012KB
MD5
e3f32bd0c7ea3408258d44dd3a6a2459
SHA1
62bebff872c0e9bd1a46524584332a51aa3d7d10
SHA256
7b409e6d96f602671f08243d0ed649e1c833271a331af2059f00add59a12140f
SHA512
60d18615f5dd55675232dd4e372e3075a6646f3601298ab28f393c33354a2006d059dc63d601d04cf72746f6f0470ff00de0e1e1e3181118f3d36e2f8ded3a07
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
Filesize
61KB
MD5
370769c79ea79463adbf0c6476225935
SHA1
2d340026691f83e069c4a87125ca096b9f26c97e
SHA256
4d1d5efd28d72c332ba87e1993cb35e46404753543c5563700b98a97aa3c42a6
SHA512
5d3af80c54fda6d4d0de06f7b22722d400857743203a745bfcd1667e5e48ea8c2ef7b0c6ffede84b2ea2bd4b74a2ddc766c17392ed07f366d1f0a9b34eb5c63c
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Newtonsoft.Json.dll
Filesize
705KB
MD5
00c34112da9e104a0deaebe2e71cc21a
SHA1
f0ea635ef401d75f6ea939e71d750cff7f074d53
SHA256
8e9dd1dc511093f7edd8b96e4e113e8761676210197093b6b59cb1e4bb46e277
SHA512
141c3127c2ed281cdef9630f25f0febcb69322285188a0082e653ef33d00de593991f31585d05b2dafe6d439cae87a1f7788cbbb3a925bebf04bcad6c56993bb
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\System.Memory.dll
Filesize
138KB
MD5
f09441a1ee47fb3e6571a3a448e05baf
SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
Filesize
17KB
MD5
c610e828b54001574d86dd2ed730e392
SHA1
180a7baafbc820a838bbaca434032d9d33cceebe
SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf
SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396
-
Filesize
8KB
MD5
782f4beae90d11351db508f38271eb26
SHA1
f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
SHA256
c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
SHA512
0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.config
Filesize
621B
MD5
8024f977c83c16eed95e0358ee03b272
SHA1
2393025a5aebb33ec563cab32e6b2956b24a30d6
SHA256
b3f28c843956917cd334b50476a52d2e23afafc48b8818ba13cf75b12c90a328
SHA512
d182a5c8bc2616331b66bd41d568c868ecae70cd240b8776e2532607adf7ad20bdd44d56f0a351cb9aeae3cc583c312ff2727b900d869628c1cea0bf1f9f0236
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
Filesize
404KB
MD5
0941bc3970a158835cfa9b769be06f47
SHA1
5bf04b54e308b75671ad4a00506cfaa207ffb9dd
SHA256
f0ef5058eca8af96cc72c0505b0f5427b08c12f196c8afd3c13d7ecf4bc1cc1d
SHA512
53a9ff67023113d27e267cda538e142b3a5b277e38229ad8969bd914093b2421756b5c704591a27102865e57fd2f2b0f22a837c2fb2ccd68efd3792960611edb
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
Filesize
3KB
MD5
aa49563d97bd34bb11ebe5ba7305adc9
SHA1
930b61f0c1400e28823ce56212c4d9e0c673c750
SHA256
405b6cfe55904b670ba0f0cfde16e14f37168192a4993a2f9d91886631145cad
SHA512
1998a3edc5b5a06e775bac58d3bfe2a4623be0f9f1c55f1063240e9b735fdcf6b676aa133a90dca96161eb4128d16c9c8822bfe064391bc7e6b04fa45d03b199
-
C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.json
Filesize
162B
MD5
ad891c3b02a02419dc60db8c273a8315
SHA1
141a08ca0e25d56bdb35fc71e1c767667079114a
SHA256
186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7
SHA512
64cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f
-
Filesize
206KB
MD5
536290c5f5bcbe6b1a21e1579898d525
SHA1
f3e7e9ac466a33ad5b739af20d726a83457b3667
SHA256
b4d15ba1e4d0bf6487110161d9cfd0376f38dc1f6d19cd4f18e39ffaffa0e871
SHA512
b8a7ac64bcce30eac8f74abaf1b65364fc1f38c3341019e3bb4eec162588a642d53c7055d1216f9a8a42e6caaf588380b73ad88a3e69d854eb2017c77e27c5c2
-
Filesize
207KB
MD5
65c66fc445aec631d1f6c353bdbe6544
SHA1
13782a996fedb56552bacc65da7b4cb635b6bb13
SHA256
a2e518ebd821acee043d720a444bd4b64145be99613f759b43f27dbe45b492ae
SHA512
caca41001c0f49f65f4ea2c7618b417ec647ff983f84df69b10d23375776e8fe0af1a6847d7a753578283bd4c259da24a98cdef34682d3598b85cccd9cfc06a6
-
Filesize
206KB
MD5
84bf7192a3940a58f5262bb5aaec1ed5
SHA1
7e9617cc050299230adb1211c25f4fc55d512a0d
SHA256
8a83e2fbeeff710b23e753bd14a7bec18637478b44abaf3d7b050b01c77667af
SHA512
5b163a74fedf5934cc262809266f72845555849417114a46c4871ad3c2427a8d0777b6cae0c3f892b3b9e9caa8aee30932e2c5fb640d12bb340617a7256fcb60
-
Filesize
206KB
MD5
8bb07607ed263a0275f0e564bee47eca
SHA1
365edd7f8fe444bea5b9d345a9afb057fa4f82e4
SHA256
f81c997e8fea452e334541c1048be5b4eec3031adda6a3cacb7348495971b969
SHA512
199c16f95f57480d89049ef2cf6b12bf019a638e310c2a899f6722f941c183fefe632b6e6bc7174cf3e565f2a69fc981a3bdb369dba194295ecd4deebe81a56c
-
Filesize
206KB
MD5
b016663811b5f0778773219253a0c615
SHA1
d6aa0a85e65d9a7fa10f4ec3e825f698584881d4
SHA256
3645fc671144bae40473d2d0f1f16cb8857dd458e1978567c476eebd176854fa
SHA512
1f51c5f19c0b50930e0461cc903f170a6d59958a9fa47c696432fad561adfc3c5ef127220d77a3075058cc6c98b732dbba15694b138d90b0a7406140ccee4d47